I'm refactoring some very old code where getAdministrativeResourceResolver is used.
There is a function that reads and creates content on behalf of another user. Impersonation is used for that purpose. But If I change getAdministrativeResourceResolver to getServiceResourceResolver even with service user that is member of administrators group, I'm not able to impersonate:
org.apache.sling.api.resource.LoginException: Impersonation not allowed.
Finally I found a workaround: impersonate service user to admin first and then impersonate admin to user:
Map<String,Object> authenticationInfo = new HashMap<String,Object>();
authenticationInfo.put(ResourceResolverFactory.USER_IMPERSONATION, "admin");
try (ResourceResolver adminResourceResolver = resourceResolverFactory.getServiceResourceResolver(authenticationInfo)) {
Session adminSession = adminResourceResolver.adaptTo(Session.class);
SimpleCredentials userCreds = new SimpleCredentials(username, new char[0]);
Session userSession = adminSession.impersonate(userCreds);
logger.info("impersonated user:" + userSession.getUserID());
} catch(Exception e) {
logger.error("Cannot login", e);
}
It seems to work. But wouldn't be better to leave original deprecated getAdministrativeResourceResolver instead of such a ugly workaround?
What is the proper solution of this use case?
Thanks,
--- Jaroslav
